Add method arg validations to all public API methods

lib/sirp/client.rb

@@ -7,6 +7,9 @@ class Client
     #
     # @param group [Integer] the group size in bits
     def initialize(group = 2048)
+      raise ArgumentError, 'must be an Integer' unless group.is_a?(Integer)
+      raise ArgumentError, 'must be a known group size' unless [1024, 1536, 2048, 3072, 4096, 6144, 8192].include?(group)
+
       @N, @g, @hash = Ng(group)
       @k = calc_k(@N, @g, hash)
     end
@@ -34,6 +37,13 @@ def start_authentication
     # @param xbb [String] the server verifier 'B' value in hex
     # @return [String] the client 'M' value in hex
     def process_challenge(username, password, xsalt, xbb)
+      raise ArgumentError, 'username must be a string' unless username.is_a?(String) && !username.empty?
+      raise ArgumentError, 'password must be a string' unless password.is_a?(String) && !password.empty?
+      raise ArgumentError, 'xsalt must be a string' unless xsalt.is_a?(String)
+      raise ArgumentError, 'xsalt must be a hex string' unless xsalt =~ /^[a-fA-F0-9]+$/
+      raise ArgumentError, 'xbb must be a string' unless xbb.is_a?(String)
+      raise ArgumentError, 'xbb must be a hex string' unless xbb =~ /^[a-fA-F0-9]+$/
+
       # Convert the 'B' hex value to an Integer
       bb = xbb.to_i(16)
 
@@ -75,6 +85,9 @@ def process_challenge(username, password, xsalt, xbb)
     # @return [true,false] returns true if the server and client agree on the H_AMK value, false if not
     def verify(server_HAMK)
       return false unless @H_AMK && server_HAMK
+      return false unless server_HAMK.is_a?(String)
+      return false unless server_HAMK =~ /^[a-fA-F0-9]+$/
+
       # Hash the comparison params to ensure that both strings
       # being compared are equal length 32 Byte strings.
       secure_compare(Digest::SHA256.hexdigest(@H_AMK), Digest::SHA256.hexdigest(server_HAMK))

lib/sirp/verifier.rb

@@ -7,7 +7,9 @@ class Verifier
     #
     # @param group [Integer] the group size in bits
     def initialize(group = 2048)
-      # select modulus (N) and generator (g)
+      raise ArgumentError, 'must be an Integer' unless group.is_a?(Integer)
+      raise ArgumentError, 'must be a known group size' unless [1024, 1536, 2048, 3072, 4096, 6144, 8192].include?(group)
+
       @N, @g, @hash = Ng(group)
       @k = calc_k(@N, @g, hash)
     end
@@ -24,6 +26,9 @@ def initialize(group = 2048)
     # @param password [String] the authentication password
     # @return [Hash] a Hash of the username, verifier, and salt
     def generate_userauth(username, password)
+      raise ArgumentError, 'username must be a string' unless username.is_a?(String) && !username.empty?
+      raise ArgumentError, 'password must be a string' unless password.is_a?(String) && !password.empty?
+
       @salt ||= SecureRandom.hex(10)
       x = calc_x(username, password, @salt, hash)
       v = calc_v(x, @N, @g)
@@ -39,6 +44,14 @@ def generate_userauth(username, password)
     # @param xaa [String] the client provided 'A' value in hex
     # @return [Hash] a Hash with the challenge for the client and a proof for the server
     def get_challenge_and_proof(username, xverifier, xsalt, xaa)
+      raise ArgumentError, 'username must be a string' unless username.is_a?(String) && !username.empty?
+      raise ArgumentError, 'xverifier must be a string' unless xverifier.is_a?(String)
+      raise ArgumentError, 'xverifier must be a hex string' unless xverifier =~ /^[a-fA-F0-9]+$/
+      raise ArgumentError, 'xsalt must be a string' unless xsalt.is_a?(String)
+      raise ArgumentError, 'xsalt must be a hex string' unless xsalt =~ /^[a-fA-F0-9]+$/
+      raise ArgumentError, 'xaa must be a string' unless xaa.is_a?(String)
+      raise ArgumentError, 'xaa must be a hex string' unless xaa =~ /^[a-fA-F0-9]+$/
+
       # SRP-6a safety check
       return false if (xaa.to_i(16) % @N).zero?
 
@@ -72,6 +85,11 @@ def get_challenge_and_proof(username, xverifier, xsalt, xaa)
     # @param client_M [String] the client provided 'M' value in hex
     # @return [String, false] the H_AMK value in hex for the client, or false if verification failed
     def verify_session(proof, client_M)
+      raise ArgumentError, 'proof must be a hash' unless proof.is_a?(Hash)
+      raise ArgumentError, 'proof must have required hash keys' unless proof.keys == [:A, :B, :b, :I, :s, :v]
+      raise ArgumentError, 'client_M must be a string' unless client_M.is_a?(String)
+      raise ArgumentError, 'client_M must be a hex string' unless client_M =~ /^[a-fA-F0-9]+$/
+
       @A = proof[:A]
       @B = proof[:B]
       @b = proof[:b].to_i(16)

spec/parameters_spec.rb

@@ -8,7 +8,8 @@
   #
   context 'parameters' do
     it 'should raise an error on unknown verifier group size' do
-      expect { SIRP::Verifier.new(1234) }.to raise_error(NotImplementedError, 'unknown group size')
+      expect { SIRP::Client.new(1234) }.to raise_error(ArgumentError, 'must be a known group size')
+      expect { SIRP::Verifier.new(1234) }.to raise_error(ArgumentError, 'must be a known group size')
     end
 
     before :all do

spec/verifier_spec.rb

@@ -94,7 +94,7 @@
       v = '321307d87ca3462f5b0cb5df295bea04498563794e5401899b2f32dd5cab5b7de9da78e7d62ea235e6d7f43a4ea09fea7c0dafdee6e79a1d12e2e374048deeaf5ba7c68e2ad952a3f5dc084400a7f1599a31d6d9d50269a9208db88f84090e8aa3c7b019f39529dcc19baa985a8d7ffb2d7628071d2313c9eaabc504d3333688'
       _proof = { A: aa, B: bb, b: @b, I: @username, s: @salt, v: v }
       verifier = SIRP::Verifier.new(1024)
-      verifier.verify_session(_proof, 'match insignificant')
+      verifier.verify_session(_proof, 'abc123')
       expect(verifier.S).to eq '7f44592cc616e0d761b2d3309d513b69b386c35f3ed9b11e6d43f15799b673d6dcfa4117b4456af978458d62ad61e1a37be625f46d2a5bd9a50aae359e4541275f0f4bd4b4caed9d2da224b491231f905d47abd9953179aa608854b84a0e0c6195e73715932b41ab8d0d4a2977e7642163be6802c5907fb9e233b8c96e457314'
       expect(verifier.K).to eq '404bf923682abeeb3c8c9164d2cdb6b6ba21b64d'
     end